Read me log info

Discussion in 'Malware Help (A Specialist Will Reply)' started by movie_fanatic, Feb 26, 2010.

  1. movie_fanatic

    movie_fanatic Private E-2

    Hello. I ran the Read me file and have attached my logs as suggested. I'm not sure if I have a problem or not or what I need to do at this point, so I figured it would just be best to try and post my logs and see what happens. Thanks to the person who decides to help me out. I'm extremely grateful.
     

    Attached Files:

  2. movie_fanatic

    movie_fanatic Private E-2

    Here is the final log. I hope I did these right. Again, I'm very thankful to anyone who can help.
     

    Attached Files:

  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there and welcome. I am currently reviewing your logs and will get back to you with a set of instructions in the next post I make to you.
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    1. Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    Driver::
    Symantec Core LC
    
    DirLook::
    C:\QUARANTINE
    c:\documents and settings\HP Owner\Local Settings\Application Data\{F71DF260-BC49-48A5-8826-81875D6BCF53}
    
    File::
    c:\windows\system32\drivers\kgpcpy.cfg
    c:\windows\system32\drivers\kgpfr2.cfg
    
    Folder::
    C:\Program Files\Common Files\Symantec Shared
    c:\documents and settings\All Users\Application Data\STOPzilla!
    c:\documents and settings\All Users\Application Data\SpeedyPC
    
    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\NoExplorer]
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    2. Delete all files in the below bold folder except ones from the current date (Windows will not let you delete the files from the current day).
    3. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combofix.

    4. Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
  5. movie_fanatic

    movie_fanatic Private E-2

    Kestrel13, thank you so much for helping. I've attached the two logs you have asked for. I've noticed my computer is acting much better. Hopefully the ComboFix log worked out; I had to save it as "second scan" for it to accept it.
     

    Attached Files:

  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Use Windows Explorer to delete the below bold file/folder:

    Confirm to me that they have deleted ok.
     
  7. movie_fanatic

    movie_fanatic Private E-2

    The first one deleted ok; the second one I cannot find. There is no folder that starts with F. Also, should I do steps 4 and 5 on the Read me file? Am I rid of all the malware?
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I am confused... are you referring to Step 4: Configuration & Setup and Step 5: Uninstall Known Malware and Unwanted Software? If so, then you should already have done this! :)

    1. Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    File::
    c:\documents and settings\HP Owner\Local Settings\Application Data\{F71DF260-BC49-48A5-8826-81875D6BCF53}\chrome\content\overlay.xul
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    2. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combofix.

    3. Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
  9. movie_fanatic

    movie_fanatic Private E-2

    Sorry, I think I was thinking of other steps... I don't know. My computer seems to be running just fine. I haven't encountered any more problems.
     

    Attached Files:

  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Just a little tidy up to do:

    You have ComboFix running from the wrong location:

    You need to ensure that you move it directly onto your desktop now and do not have it inside any other folder, or else the final steps will not work.

    Now we need to use ComboFix again.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    File::
    c:\windows\system32\ezsidmv.dat
    C:\WINDOWS\System32\drivers\avgntflt.sys
    C:\WINDOWS\TEMP\WFV8.tmp
    C:\WINDOWS\Downloaded Program Files\rufsi.dll
    C:\WINDOWS\Downloaded Program Files\symdlmgr.dll
    
    Folder::
    c:\documents and settings\All Users\Application Data\Symantec
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    [-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/rufsi.dll]
    "{644E432F-49D3-41A1-8DD5-E099162EEEC5}"=-
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/symdlmgr.dll]
    "{6A344D34-5231-452A-8A57-D064AC9B7862}"=-
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combofix.
     
  11. movie_fanatic

    movie_fanatic Private E-2

    Sorry for the delay.
     

    Attached Files:

  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Looks good. Use Windows Explorer to find and delete the below bold folder:

    C:\Program Files\Common Files\is3

    Now I would like for you to restore a file:

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    DeQuarantine::
    C:\Qoobox\Quarantine\C\WINDOWS\system32\ezsidmv.dat.vir
    QUIT::
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\DeQuarantine.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Attach the log, and then as long as that went well, it's final steps :)
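    The CFScript files the helper posts in posts 4, 8, 10 and 12 all share one plain-text layout: a section header such as File::, Folder::, Registry:: or DeQuarantine:: followed by one target per line, with bare KILLALL:: and QUIT:: sections. The script below is an added example written for this thread, not ComboFix code and not anything the helper posted. It parses that layout and then reports which File:: and Folder:: targets are still present, which is the check the helper asks the user to do by hand ("Confirm to me that they have deleted ok"). It assumes Registry:: lines follow .reg-file syntax (`[-KEY]` deletes a key, `[KEY]` selects a key, `"Name"=-` deletes a value under the most recently named key); the sample script and the "disk after cleanup" inventory are constructed, with paths copied from the posts.

```python
"""Parse a ComboFix CFScript and report which File::/Folder:: targets remain.

Added example for this thread; not ComboFix code.  Assumptions: a section
header is a word followed by `::`; bare sections (KILLALL::, QUIT::) carry
no lines; Registry:: lines use .reg-file syntax ([-KEY] deletes a key,
[KEY] selects a key, "Name"=- deletes a value under the selected key).
"""
import os
import re
from pathlib import PureWindowsPath
from typing import Callable, Dict, Iterable, List, Optional, Tuple

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")

# Constructed sample, modelled on the scripts in the thread (paths copied
# from the posts; the particular mix of sections is ours).
SAMPLE_SCRIPT = r"""
KILLALL::

File::
c:\windows\system32\drivers\kgpcpy.cfg

Folder::
C:\Program Files\Common Files\Symantec Shared

Registry::
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/rufsi.dll]
"{644E432F-49D3-41A1-8DD5-E099162EEEC5}"=-

DeQuarantine::
C:\Qoobox\Quarantine\C\WINDOWS\system32\ezsidmv.dat.vir
QUIT::
"""

RegAction = Tuple[str, Optional[str], Optional[str]]  # (action, key, value)


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into {section: [target lines]}; blank lines are skipped."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"target line before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections


def registry_actions(lines: Iterable[str]) -> List[RegAction]:
    """Interpret Registry:: lines as delete-key / delete-value actions."""
    actions: List[RegAction] = []
    key: Optional[str] = None
    for line in lines:
        if line.startswith("[-") and line.endswith("]"):
            key = line[2:-1]                     # [-KEY]: remove the whole key
            actions.append(("delete_key", key, None))
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                     # [KEY]: select key for value lines
        elif line.startswith('"') and line.endswith("=-"):
            if key is None:
                raise ValueError(f"value deletion without a key: {line!r}")
            name = line[1:line.rindex('"')]      # "Name"=-: remove one value
            actions.append(("delete_value", key, name))
        else:
            raise ValueError(f"unrecognised Registry:: line: {line!r}")
    return actions


def _norm(path: str) -> str:
    # Windows paths are case-insensitive and accept either slash.
    return str(PureWindowsPath(path)).lower()


def make_inventory(present_paths: Iterable[str]) -> Callable[[str], bool]:
    """Existence predicate over a constructed list of paths (offline stand-in
    for os.path.exists on the cleaned machine)."""
    present = {_norm(p) for p in present_paths}
    return lambda p: _norm(p) in present


def remaining_targets(sections: Dict[str, List[str]],
                      exists: Callable[[str], bool]) -> Dict[str, List[str]]:
    """File::/Folder:: entries that `exists` still reports as present."""
    leftovers: Dict[str, List[str]] = {}
    for section in ("File", "Folder"):
        still = [p for p in sections.get(section, []) if exists(p)]
        if still:
            leftovers[section] = still
    return leftovers


if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE_SCRIPT)
    for name, lines in parsed.items():
        print(f"{name}:: ({len(lines)} target(s))")
    for action in registry_actions(parsed["Registry"]):
        print("  registry", action)
    # Constructed post-cleanup inventory: the Symantec Shared folder survived.
    after_cleanup = make_inventory([r"C:\Program Files\Common Files\Symantec Shared"])
    print("still present:", remaining_targets(parsed, after_cleanup))
    # On the real machine, pass os.path.exists instead of the constructed inventory.
    _ = os.path.exists
```

To use it on the actual box, read CFscript.txt from the Desktop and pass `os.path.exists` as the predicate; the constructed inventory exists only so the example runs anywhere.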
     
  13. movie_fanatic

    movie_fanatic Private E-2

  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You're welcome.

    Is ezsidmv.dat back in your system32 folder?

    Is the other is3 folder deleted?
     
